Small business lending rule FAQs

A covered credit transaction is an extension of business credit (as that term is defined in 12 CFR § 1002.2(g)) that is not excluded pursuant to the small business lending rule. 12 CFR §§ 1002.102(d) and 1002.104.

For this purpose, “business credit” includes credit used primarily for an agricultural purpose as well as credit primarily used for a business or commercial purpose. Thus, covered credit transactions include loans, lines of credit, credit cards, merchant cash advances, and other credit products used primarily for agricultural, business, or commercial purposes. See Comment 104(a)-1. However, factoring, leases, and consumer-designated credit are not covered credit transactions because they do not satisfy the definition of business credit. Comments 104(b)-1 through -3.

The small business lending rule specifically excludes the following extensions of business credit from the definition of covered credit transaction: trade credit, HMDA-reportable transactions, insurance premium financing, public utilities credit, securities credit, and incidental credit. 12 CFR § 1002.104(b).

Additionally, purchases of covered credit transactions, purchases of an interest in a pool of covered credit transactions, and purchases of a partial interest in a covered credit transaction (such as through a loan participation agreement) are not themselves covered credit transactions. Comment 104(a)-4.

For additional information on covered credit transactions, see Section 2.2 of the small entity compliance guide .

Updated June 28, 2023

Yes. An extension of consumer-designated credit is not a covered credit transaction, even if its proceeds are used for business or agricultural purposes. A transaction qualifies as consumer-designated credit if the financial institution offers or extends the credit primarily for personal, family, or household purposes. For example, an open-end credit account used for both personal and business/agricultural purposes is not business credit under the small business lending rule unless the financial institution designated or intended for the primary purpose of the account to be business/agricultural-related. Comment 104(b)-3. If the financial institution extends the credit primarily for a business or agricultural purpose, then it is not consumer-designated credit.

Financial institutions should note that various consumer laws, including consumer disclosure laws and regulations, may apply to consumer-designated credit transactions.

Updated September 14, 2023

As explained in the preamble to the small business lending rule, merchant cash advances are a form of financing for businesses that purport to be structured as a sale of potential future income. They are an extension of business credit that is not excluded from coverage pursuant to the small business lending rule. Comment 104(a)-1.

Merchant cash advances, which are typically offered by lenders that are not depository institutions, may vary in form and substance. However, under a typical merchant cash advance, a merchant receives a cash advance and promises to repay it plus some additional amount or multiple of the amount advanced (e.g., 1.2 or 1.5, the “payback” or “factor” “rate”). The merchant promises to repay by either pledging a percentage of its future revenue, such as its daily credit and debit card receipts (the “holdback percentage”), or agreeing to pay a fixed daily withdrawal amount to the merchant cash advance provider until the agreed upon payment amount is satisfied. Merchant cash advance contracts often provide for repayment directly through the merchant’s card processor and/or via Automated Clearing House withdrawals from the merchant’s bank account. Merchant cash advances constitute the primary product under an umbrella term often referred to as “sales-based financing;” generally, transactions wherein a financial institution extends funds to a business and repayment is based on the business’s anticipated sales, revenue, or invoices. See 88 Fed. Reg. 35150, 35220 (May 31, 2023).

Updated September 14, 2023

No, letters of credit, as described in the preamble to the small business lending rule, are not covered credit transactions because they are not credit. 88 Fed. Reg. 35150, 35245-46 (May 31, 2023).

Generally, a letter of credit is an instrument issued by a bank that promises, upon the presentation of certain documents and/or satisfaction of certain conditions, to direct payment to a beneficiary of the instrument. Letters of credit are often presented by buyers of goods who seek to postpone payment until their goods have been received. Some letters of credit are secured by a promissory note and are converted if the customer fails to pay. The issuance of such letters of credit are not extensions of credit.

As noted in comments 104(b)-1 and -2, the name used by a financial institution for a product is not determinative of whether it is a covered credit transaction. Accordingly, if a financial institution develops a product that it calls a “letter of credit” that includes an extension of credit (i.e., permits an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor), that product might be a covered credit transaction. Additionally, if a financial institution extends credit when the letter is presented for payment or an option is exercised pursuant to the letter of credit, that extension of credit may also be a covered credit transaction.

Updated September 14, 2023

Generally, yes. While the purchase of a partial interest in a credit transaction, such as through a loan participation agreement, is not a covered credit transaction (see comment 104(b)-4), the underlying loan itself is a covered credit transaction as long as it is an extension of business credit to a small business and is not excluded pursuant to the small business lending rule. Thus, if the lead lender is the only financial institution needed to make a credit decision in order to originate the loan or if the lead lender is the last financial institution with authority to set the material terms of the loan, the lead lender counts the loan (assuming it is made to a small business, is primarily for a business, commercial, or agricultural purpose, and is not excluded) as a covered origination and is responsible for reporting the application (assuming the lender is a covered financial institution).

Updated September 14, 2023

No, an extension of business credit by a financial institution other than the supplier of the goods or services being financed is not trade credit for purposes of the small business lending rule. Comment 104(b)(1)-1.

Trade credit, which is excluded from the definition of a covered credit transaction, is a financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services. 12 CFR 1002.104(b)(1). Trade credit may involve a supplier that finances the sale of equipment, supplies, or inventory. However, an extension of business credit by a financial institution other than the supplier for the financing of such items is not trade credit. Also, credit extended by a business providing goods or services to another business is not trade credit for the purposes of the small business lending rule where the supplying business intends to sell or transfer its rights as a creditor to a third party. Comment 104(b)(1)-1.

For example, if a retailer sells goods, such as seeds, to a small business and allows the small business to defer payment, the transaction is trade credit that is excluded from coverage under the small business lending rule. However, if a retailer sells seeds to a small business and the small business pays for them using the proceeds of a loan from a bank, credit union, or financing company, the transaction is not trade credit. This is true even if the financing company is affiliated with the retailer.

Updated September 14, 2023

The term “business” has the same meaning as “business concern or concern” in 13 CFR § 121.105 of the Small Business Administration’s (SBA) regulations, and the term “small business” has the same meaning as the term “small business concern” in the Small Business Act, 15 USC § 632(a), as implemented in 13 CFR §§ 121.101 through 121.107 of the SBA’s regulations. 12 CFR § 1002.106. Thus, a small business generally is a business organized for profit, with a place of business located in the United States, and which operates primarily within the United States or which makes a significant contribution to the U.S. economy through payment of taxes or use of American products, materials, or labor. 13 CFR § 121.105(a). A small business can take a variety of legal forms, and can be an individual proprietorship, partnership, limited liability company, corporation, joint venture (with no more than 49 percent participation by foreign businesses), association, trust or cooperative. 13 CFR § 121.105(b).

Notwithstanding the size standards set forth in the SBA’s regulations, a business is a small business for purposes of the small business lending rule if its gross annual revenue for its preceding fiscal year was $5 million or less. 12 CFR § 1002.106(b). A financial institution is permitted to rely on an applicant’s representations regarding gross annual revenue (which may or may not include any affiliate’s revenue) for purposes of determining small business status. However, if the applicant provides updated gross annual revenue information during the application process or the covered financial institution verifies the gross annual revenue information during the application process, the financial institution must use the updated or verified information in determining small business status. Comment 106(b)(1)-3.

While a financial institution may aggregate gross annual revenue for affiliated applicants, it cannot aggregate unaffiliated co-applicants’ gross annual revenue for purposes of determining small business status. Comment 106(b)(1)-3. For this purpose, one business is an “affiliate” of another when one controls or has the power to control the other, or a third party controls or has the power to control both. It does not matter whether control is exercised, so long as the power to control exists. See 13 CFR § 121.103.

Every five years after January 1, 2025, the CFPB shall adjust the gross annual revenue threshold, as necessary, based on changes to the Consumer Price Index for All Urban Consumers, as published by the United States Bureau of Labor Statistics. Any adjustment shall be rounded to the nearest multiple of $500,000 and take effect on the following January 1. 12 CFR § 1002.106(b)(2); Comment 106(b)(2)-1.

Updated June 28, 2023

Yes, an individual or sole proprietorship can be a small business pursuant to the small business lending rule. This is true regardless of whether the individual has formed an entity under applicable law to operate the business, whether the individual is doing business in the individual’s own name, or whether the individual is doing business using a trade name or other name (such as a DBA). See 13 CFR § 121.105(b).

Updated June 28, 2023

No, a financial institution does not include an individual’s personal income when calculating a sole proprietorship’s gross annual revenue because it is not revenue earned by the for-profit business applying for a covered credit transaction. Gross annual revenue is the amount of money earned by the business itself, before subtracting taxes and other expenses. See Comment 107(a)(14)-1. For example, assume an individual earns a salary working as an employee of Company A and also owns Company B, a business that purchases and operates commercial rental properties. If Company B applies for or obtains a covered credit transaction, the financial institution does not consider the individual’s salary from Company A when determining if Company B is a small business.

Updated September 14, 2023

Generally, yes. If a new or recently started business did not operate in the preceding fiscal year (and thus did not have gross annual revenue for its preceding fiscal year) and does not have affiliates with gross annual revenue exceeding $5 million in their preceding fiscal year, the new or recently started business is a small business. Comment 107(a)(14)-4. However, as set forth in the SBA’s regulations, a business is not treated as a separate business concern if a substantial portion of its assets and/or liabilities are the same as those of a predecessor entity. In such a case, the annual receipts of the predecessor business can be taken into account in determining gross annual revenue and may result in a determination that a new or recently started business is not a small business. See 13 CFR § 121.105(c).

When determining whether a business is a small business, a financial institution may rely on an applicant’s representations regarding gross annual revenue. A financial institution is permitted, but not required, to aggregate an applicant’s gross annual revenue with its affiliates’ gross annual revenue. Thus, if a new business states that its and its affiliates’ combined gross annual revenue exceeds $5 million and the financial institution does not verify gross annual revenue, the business is not a small business. However, if the financial institution obtains updated gross annual revenue information or verifies gross annual revenue, it must determine if the business is a small business based on the updated or verified information. Comment 106(b)(1)-3. See also comments 107(a)(14)-1 and -3.

Updated June 28, 2023

Maybe. It depends on whether the entity’s gross annual revenue, which may or may not include affiliates’ gross annual revenue, exceeds $5 million. Comment 107(a)(14)-3.

When determining whether a business is a small business, a financial institution may rely on an applicant’s representations regarding gross annual revenue, which may or may not include affiliates’ revenue. Thus, if an applicant states that its and its affiliates’ combined gross annual revenue exceeds $5 million and the financial institution does not verify gross annual revenue, the business is not a small business. However, if the financial institution updates or verifies gross annual revenue (which may include its affiliates’ gross annual revenue), it must determine if the business is a small business based on the updated or verified information. Comment 106(b)(1)-3. See also comments 107(a)(14)-1 and -3.

Updated June 28, 2023

No, the definition of applicant does not include other persons who are or may become contractually liable regarding an extension of business credit such as guarantors, sureties, endorsers, and similar parties. Thus, a financial institution does not consider such persons’ revenue in determining whether an applicant or borrower is a small business. 12 CFR 1002.102(b). See also 88 Fed. Reg. 35150, 35196 (May 31, 2023).

Updated September 14, 2023

“Firewall” is a term sometimes used to describe a provision in the small business lending rule that prohibits certain employees and officers of covered financial institutions (and certain of their affiliates’ employees and officers) from accessing demographic information obtained from small business applicants pursuant to the rule. Notwithstanding this general prohibition, if a covered financial institution determines that an employee or officer that is otherwise subject to the firewall should have access to such information, that employee or officer may have access to the information if the covered financial institution provides a required notice to, at least, the small business applicants whose demographic information will be accessed. 12 CFR 1002.108.

Section 5.1 of the small entity compliance guide discusses the scope of the firewall’s prohibition on certain employees and officers accessing certain demographic information. Section 5.2 of the small entity compliance guide discusses the exception to the firewall’s prohibition and how a financial institution may determine that an employee or officer should have access to the demographic information protected by the firewall. Section 5.3 of the small entity compliance guide discusses the notice that a covered financial institution must provide if it wants to rely on the exception.

Updated September 14, 2023

If a covered financial institution determines that an employee or officer who is involved in making a determination concerning a covered application “should have access” to the demographic information collected pursuant to the small business lending rule, it means that it is not feasible to maintain a firewall as to that particular employee or officer. 12 CFR 1002.108(b), (c). The covered financial institution is not required to perform a separate analysis of the feasibility of establishing or maintaining a firewall. It is only required to determine whether the employees and officers who are involved in making determinations concerning covered applications should have access to protected demographic information. Comment 108(c)-1.

However, a determination that one employee or officer (or one group of employees or officers) should have access to demographic information protected by the firewall does not mean that is not feasible to maintain a firewall for other employees and officers who are involved in making determinations concerning covered applications. Comment 108(c)-1.

See Firewall Question 3 for a discussion of how a covered financial institution satisfies the exception to the firewall prohibition. For more information on the firewall generally, see Section 5 of the small entity compliance guide .

Updated September 14, 2023

The small business lending rule’s firewall provision contains both a prohibition and an exception. Generally, a covered financial institution must prohibit an employee or officer who is involved in making a determination concerning a covered application from accessing the demographic information that the applicant provides pursuant to the small business lending rule. However, a covered financial institution may comply with the rule by satisfying the exception in the firewall provision. 12 CFR 1002.108.

If a covered financial institution wants to rely on the exception, it should first determine which employees and officers (or which groups of employees and officers) are involved in making determinations concerning covered applications. If an employee or officer is involved in making a determination concerning a covered application, then the covered financial institution must either establish and maintain a firewall to prohibit that employee or officer from accessing the demographic information that is protected by the firewall or must satisfy the exception with regard to that employee or officer. If an employee or officer is not involved in making determinations concerning covered applications, the firewall prohibition does not apply to that employee or officer regardless of whether the covered financial institution satisfies the exception.

Next, the covered financial institution determines which, if any, employees and officers (or which groups of employees and officers) who are involved in making determinations concerning covered applications “should have access” to the demographic information that is protected by the firewall (i.e., the demographic information collected pursuant to the small business lending rule). 12 CFR 1002.108(c). A covered financial institution may determine that an employee or officer “should have access” if that employee or officer may need to collect, see, consider, refer to, or otherwise use protected demographic information to perform the employee’s or officer’s assigned job duties. 12 CFR 1002.108(a)(2); comment 108(a)-2.i. A covered financial institution may make this determination on an individual-by-individual basis, or it may determine that a group of employees or officers with the same job description or assigned duties should have access for purposes of the exception. If a covered financial institution assigns one or more tasks that may require access to protected demographic information to everyone with a particular job title, the covered financial institution may determine that everyone who has that job title should have access. For example, if a job description, a policy, a procedure, or another document states that all employees and officers who are loan officers may have to collect or explain any part of a form collecting demographic information required under the small business lending rule, the covered financial institution may determine that all employees and officers who have been assigned the position of loan officer should have access to protected demographic information. Comment 108(a)-2.ii.

Finally, if a covered financial institution determines that any employees or officers (or any groups of employees or officers) who are involved in making determinations concerning covered applications should have access to the demographic information that is protected by the firewall, the covered financial institution must provide a required notice. At a minimum, a covered financial institution must provide the required notice to the applicants whose protected demographic information will be accessed by the employees and officers that it has determined should have access (as discussed above). 12 CFR 1002.108(d). Alternatively, the covered financial institution may provide the required notice to a larger group of applicants. For example, a covered financial institution could provide the notice to all small business applicants for covered credit transactions or all small business applicants that are applying for a specific type of product or that are applying at a particular location. 12 CFR 1002.108(d); comment 108(d)-1. This notice must inform an applicant that one or more employees and officers involved in making determinations concerning the applicant’s covered application may have access to the applicant’s responses regarding its minority-owned business status, women-owned business status, LGBTQI+-owned business status, and its principal owners’ ethnicity, race, and sex. Comment 108(d)-2. A covered financial institution may, but is not required to, use the sample language in the sample data collection form for this notice.

If a covered financial institution completes these steps (including providing the required notice), it may permit the employees and officers that it has determined are assigned one or more job duties that may require the employee or officer to collect, see, consider, refer to, or otherwise use the demographic information subject to the firewall prohibition to have access to that information. However, it may not permit other employees and officers who are involved in making determinations regarding covered applications to access demographic information that is protected by the firewall, unless it also determines that those employees and officers should have access to protected demographic information. In other words, if the covered financial institution provides the notice required by the rule, it is not required to maintain a firewall with regard to the employees and officers that it determines “should have access,” but is required to maintain a firewall as to any other employees and officers who are involved in making determinations concerning covered applications. Comment 108(c)-1.

For example, assume that a covered financial institution’s chief executive officer, commercial loan officers, compliance officers, and underwriters make determinations concerning covered applications. The commercial loan officers and compliance officers have been assigned one or more job duties that may require them to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall, but the chief executive officer and underwriters have not been assigned such duties (i.e., the financial institution determines that the commercial loan officers and compliance officers should have access, but does not determine that the chief executive officer and underwriters should have access). Based on these facts, if the covered financial institution provides the required notice, it may permit the commercial loan officers and compliance officers to access the demographic information protected by the firewall, but it cannot permit the chief executive officer or underwriters to access such information.

For more information on which employees and officers are subject to the firewall and more information on the demographic information that is protected by the firewall, see Section 5.1 of the small entity compliance guide . For more information on how to determine if an employee or officer should have access to the demographic information that is protected by the firewall, see Section 5.2 of the small entity compliance guide . For more information about the notice that a covered financial institution must provide to satisfy the exception to the firewall prohibition, see Section 5.3 of the small entity compliance guide .

Updated September 14, 2023

No, a covered financial institution is not required to change its systems or processes for the sole purpose of determining which employees and officers should have access (i.e., whether the exception in the firewall provision applies). Comment 108(a)-2.iii.

A covered financial institution is permitted to choose what lawful factors it will consider when determining whether an employee or officer should have access to an applicant’s demographic information collected pursuant to the small business lending rule. A covered financial institution’s determination that an employee or officer should have access may take into account relevant operational factors and lawful business practices. For example, a covered financial institution may consider its size, the number of employees and officers within the relevant line of business or at a particular branch or office location, and/or the number of covered applications the covered financial institution has received or expects to receive. Additionally, a covered financial institution may consider its current or its reasonably anticipated staffing levels, operations, systems, processes, policies, and procedures. A covered financial institution is not required to hire additional staff, upgrade its systems, change its lending or operational processes, or revise its policies or procedures for the sole purpose of limiting who should have access. Comment 108(a)-2.iii.

Updated September 14, 2023

Yes, a covered financial institution can determine that employees or officers in some business units should have access to protected demographic information, even if it maintains a firewall for employees or officers in other business units. If the covered financial institution provides the required notice to the appropriate small business applicants, it may rely on the exception for the employees and officers it has determined should have access.

Although the small business lending rule permits a covered financial institution to make determinations that members of a group of similarly situated employees or officers should have access, it also permits a covered financial institution to make this determination of who should have access on an individual-by-individual basis. Comment 108(c)-2. Additionally, any determination that a group of employees or officers should have access must be based on the employees or officers in that group having been assigned a task that may require the employees or officers to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall. If employees or officers share a job title, but have not all been assigned such a task, they are not a group of similarly situated employees for purposes of the firewall provision. For example, if five employees have the same job title and all five of them are involved in making determinations concerning covered applications, but only three of them have been assigned a task that may require them to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall, the covered financial institution is not permitted to determine that the other two employees should have access to the demographic information protected by the firewall. Comment 108(a)-2.ii.

Updated September 14, 2023

No, unless the covered financial institution determines that the employee or officer should have access to the applicant’s protected demographic information (i.e., the demographic information collected pursuant to the small business lending rule) and provides the required notice to the applicant. 12 CFR 1002.108. The small business lending rule does not limit the time that the firewall prohibition applies. Thus, a covered financial institution cannot permit an employee or officer who was involved in making a determination concerning an applicant’s covered application to access that applicant’s protected demographic information after final action is taken, unless the covered financial institution determines that the employee or officer should have access and provides the required notice before permitting the employee or officer to access protected demographic information.

Updated September 14, 2023

The firewall provision does not include any specific documentation requirements. See 12 CFR 1002.108. In general, however, a covered financial institution must retain evidence of compliance with the small business lending rule for at least three years after its small business lending application register is required to be submitted to the CFPB. 12 CFR 1002.111(a). Evidence of compliance with the firewall provision may include, but would not be limited to, documents, such as job descriptions or procedures, that support the financial institution’s determinations of who should have access.

Updated September 14, 2023

The small business lending rule has two primary record retention requirements.

First, a covered financial institution must retain evidence of compliance with the small business lending rule, including a copy of its small business lending application register, for at least three years after the register is required to be submitted to the CFPB. 12 CFR 1002.111(a); comment 111(a)-1.

Second, a covered financial institution must maintain demographic information collected pursuant to the small business lending rule separate from the rest of the application and accompanying information. The demographic information that must be maintained separately consists of an applicant’s response to the covered financial institution’s inquiry regarding (1) whether it is a minority-owned business, a women-owned business, and/or an LGBTQI+-owned business, and (2) the ethnicity, race, and sex of the applicant’s principal owners. 12 CFR 1002.111(b). A covered financial institution is permitted to maintain information regarding the applicant’s number of principal owners with an applicant’s responses to its requests for demographic information. Comment 111(b)-2.

When reporting a small business lending application register to the CFPB, maintaining a copy of the register as evidence of compliance, and maintaining a record of demographic information collected pursuant to the rule separate from the rest of the application, a covered financial institution must not include any name, specific address, telephone number, email address, or any other personally identifiable information concerning any individual who is, or is connected with, an applicant, other than as required by the rule. See 12 CFR 1002.107; 1002.111(b).

For additional information on the small business lending rule’s record retention requirements, see Section 6 of the small entity compliance guide .

Updated September 14, 2023

Yes. The requirement to maintain demographic information collected pursuant to the small business lending rule separate from the rest of the application and accompanying information applies regardless of whether a covered financial institution relies on the exception in the firewall provision. That exception only applies to the firewall prohibition in 12 CFR 1002.108. The exception to the firewall prohibition does not extend to the record retention requirements in 12 CFR 1002.111.

Updated September 14, 2023